by Faith Haleh Robinson
Data protection is the process of safeguarding important information from any kind of loss or fraud, as well as protecting individual information during an exchange or transaction. It can directly affect customers’ trust in your business and, as a consequence, can also affect your reputation and revenue. For example, Marriott International was a victim of one of the largest data breaches in history. As a result of the breach, customer details were being accessed from as far back as 2014. As a result, the personal information of about 383 million customers was exposed.
It is a priority that hoteliers know how they can better protect their hotel and their guests, especially with all the vulnerabilities surrounding important data.
Data protection: How to protect your hotel and guests
A vast amount of personal information is shared online. From sending confirmation emails to recording data from guests, business owners need to be aware of the risks their hotels could encounter, both internally and externally.
Different types of data protection are:
- Confidential internal data: Hotel/business-specific information, i.e., bank accounts, email accounts, social media accounts, legal information, utilities, etc.
- Customer personal data: Guest names/addresses/user accounts, Social Security numbers, flight information, and room information
- Financial data: Credit/debit card numbers, payment account data (PayPal), guest bank information/accounts
The PCI (Payment Card Industry) Security Standards Council is designed to protect credit card holders and provide regulations to reduce credit card fraud. According to PCI standards, the best way to maximize the security of a cardholder’s data is to continuously monitor and enforce the use of controls specified within PCI standards. Becoming familiar with compliance standards from major credit cards that are a part of the PCI’s executive committee, such as American Express, Mastercard, Visa/Visa Europe, Discover, and JCB International, also is of major importance.
Analyzing how data is stored internally within your business is the first step to protecting you and your guests. Some questions that may help guide you to better assessing and defending your business are:
- What kind of information are you obtaining from your guests? For example, what kind of personal information is needed for your business (mailing addresses, emails, account information, etc.)? Is the information you are taking from your clients really essential for your hotel?
- What devices are being used to store guests’ information? Are you using the latest technology or services to secure this data?
- Who has access to the data? What kind of protection mechanisms are in place to help lower risks of cyberattacks?
- What kind of data is stored? What external and internal services are in place or being utilized? Who among your staff members has access to this type of information?
- What are the compliance requirements for data security? Are you learning about them and actively implementing them as you learn?
Answering these questions can help you better understand and evaluate how you are setting up a better defense system against certain cyberattacks and security breaches.
According to the Bureau of Justice Statistics, more than 50,000 violent crimes, combined with property crimes, struck hotels annually between 2004 and 2008.
As soon as customers walk into your hotel, hoteliers must ensure that their guests are safe within their property.
“Training is critical. Report anything suspicious, call 911,” said Alex Kramer, president of Elite Hotel Group, as advice to hotel owners.
Kramer reports from experience that hoteliers and their employees can witness suspicious activity or an act of violence at any moment while working. He says that there have been countless suspicious stories, quite commonly consisting of “guests” asking staff members to replace lost keys. Without asking for any kind of identification or confirming that the guest’s name matches with the name on file, the staff member may innocently give a person access to a room that is not theirs. Although the staff member may be unaware, this is a safety hazard and can leave room for crimes to occur. If the employee is trained to ask for a guest’s form of identification in these instances, it can greatly reduce the consequences of suspicious activity.
Of course, the guest may still say something like, “My ID is in my hotel room,” before shrugging their shoulders and expecting to receive a new key immediately.
In this situation, Kramer says, “Train your staff members to escort guests to their rooms so they can get their wallet or purse.” This is imperative in order to help prevent successful acts of suspicious activity and violence against guests at your hotel. Staff members need to be highly trained to keep a strict policy with guests, especially when those guests are asking for new room keys or any information pertaining to a specific individual’s room number. Always ask for identification when situations like these arise. The more well trained your staff members are in safety and security, the better protected your property will be.
Having additional help on your property, such as hiring security, also is hugely important. This is not only beneficial for your guests, but it also can reduce crime and theft rates in your establishment. Bringing in a security guard to monitor a hotel parking lot and the hallways inside the hotel can help reduce potential risks and also comes with the added bonus of giving guests peace of mind and assurance during their stay.
If hoteliers are faced with tight budgets and are not able to hire more help in the way of security, Kramer recommends having a good relationship with the local police force.
“We offer [the local police]free coffee and breakfast around the clock so they can patrol the area and even come inside. This way, they are around and show their presence. It’s a relatively inexpensive way of ensuring that you’re getting extra protection,” Kramer says.
Protect yourself and your business
Amber Welch, privacy technical lead at Schellman & Company, LLC, and cybersecurity expert, offers beneficial tips for hotel owners on how they can keep their business and guests protected:
- Change default hotel passwords on devices and property management systems.
Your PMS, such as AAHOA*PMS by Autoclerk, is the primary location where user data will be stored and processed, so protecting it is very important.
- Keep computers with administrative access locked away from guests.
For example, if you have a machine used for remote administrative access to the PMS, it should not be located in the business center or just behind the front desk. It should be secured, like paper records would be, in a management office that can be locked.
- Secure Wi-Fi and Ethernet ports (or remove them).
WPA2 enterprise for internal staff Wi-Fi and a captive portal for guest Wi-Fi should be two different networks and require different passcodes in order to access each. As far as Ethernet goes, you can simply remove faceplates with ports or drywall over them.
- Keep internal devices and systems off of guest Wi-Fi.
Internal devices are things that are connected to your PMS or any confidential data. This would be your employee desktop/laptop computers, any servers, and IoT devices like smart locks or CCTV. Guest Wi-Fi should not be used for these devices.
- Be careful of vendors that process data.
As an example, if you outsource your marketing to a company, that marketing company is a vendor that processes data because you give them personal information for the purpose of marketing for your hotel. Any company with access to customer, employee, or other personal and financial information could accidentally leak that information or even sell it illegally. Be smart about which vendors you trust with your data.
- Patch and update devices frequently.
A patch is a collection of updates and security fixes for systems and devices. Patches tend to be more specific to security flaws and vulnerabilities.
- The biggest vulnerabilities are vendor breaches, phishing attacks, not patching, and not encrypting data.
A vendor breach is when a vendor (contractor/sub-processor) is hacked and your company’s data is compromised. Patching is applying the patches addressed above within the appropriate timeline. Encryption is the use of coding to protect data at rest in a database or in transit over a network. If a patch is not updated in a timely manner, if a vendor is hacked, or if the hotel’s data is not correctly encrypted, it can result in a leakage of crucial and confidential information.
- Make sure vendors are contractually liable for breaches, obligated to inform you, and responsible for damages.
Know who you are hiring and their policies, as well as any updates they may undergo that may impact your business.
- Check out Cybrary.com for free security awareness training.
If you would like cybersecurity training, or would like your staff members to have additional training, cybrary.com may be a start to develop additional skills.
- Be careful of phishing attacks and use two-factor authentication whenever possible.
Phishing is a type of cyberattack that involves someone luring a target through email, texts, or telephone “fishing” for data and other personal information.
- Suggest hired technical professionals attend conferences and give them a training budget.
- Change guest Wi-Fi passwords quarterly or use a captive portal.